Vulnerabilities Come in Waves

Posted on May 4th, 2018 by Harold Byun, VP Products

VULNERABILITY WAVE EXAMPLES

In April 2014, a two-year-old zero-day vulnerability was discovered in OpenSSL. Heartbleed represented a new finding in TLS implementations that exposed over 800,000 websites. In the subsequent months through 2014, four additional vulnerabilities were uncovered that allowed for potential unauthorized access to data via man-in-the-middle (MITM) attacks or other methods, with POODLE likely being one of the more prevalent ones uncovered.

In April 2016, a significant arbitrary code execution vulnerability was discovered in Apache Struts. At the time, this event barely registered a blip in the news outside of NVD, MITRE and security-focused organizations. Over the next 15 months, there were, coincidentally, 15 additional code execution or privilege escalation vulnerabilities uncovered in Apache Struts. Perhaps the most notable was CVE-2017-5638, published in March 2017, which has been recognized as the initial exploit for the Equifax hack.

These new hardware-based vulnerabilities will create multiple challenges in that they take longer to fix and patch, and as companies move to cloud providers, there are no guarantees as to what hardware their applications are running on. Put another way, the ground we thought we were all standing on to process our data doesn’t seem as stable as we once thought. The wave has now graduated to a “class” of vulnerabilities.